In less than a year, CMMC requirements will begin appearing in DoD RFIs and RFPs. Combining large organizational impact and a tight implementation schedule, CMMC requires immediate attention. But what is CMMC and what does it have to do with protecting the DoD supply chain? More to the point, what impact is it likely to have on your organization?
We’ll answer these and other questions in this post. The specific topics we address are:
- A Short CMMC Overview
- Controlled Unclassified Information in the DoD Supply Chain
- Why the DoD Supply Chain is Vulnerable
- How Cybersecurity Maturity Model Certification Addresses these Problems
- The CMMC Timeline
- Organizations that are Affected by CMMC
- How CMMC Will Impact Your Organization
A Short CMMC Overview
CMMC (Cybersecurity Maturity Model Certification) is a new DoD standard and security model. It combines various existing standards into one unified standard for cybersecurity. Once fully implemented, CMMC will have 5 notional levels (1-5). Sections L & M of future RFPs will include a required CMMC Level. Not already being certified, or being unable to achieve the required CMMC Level, will result in a “no-go decision.”
CMMC addresses the security of Controlled Unclassified Information (CUI). CUI is sensitive (but unclassified) information that the government requires its handlers to keep safe. NIST-800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, outlines current CUI requirements. CMMC is the successor to 800-171, and will make CUI more secure throughout the DoD supply chain.
CUI in the DoD Supply Chain
The DoD’s supply chain comprises many multi-tiered supply chains of defense contractors and their suppliers. CUI is present throughout the entire supply chain, including nonfederal systems and organizations. Today, non-federal computer systems must follow NIST-800-171 to handle and protect CUI.
Unfortunately, despite NIST-800-171, the DoD supply chain remains vulnerable.
Why the DoD Supply Chain is Vulnerable
NIST-800-171 contains 110 CUI security controls of varying complexity that organizations must comply with. The DoD relies on these organizations to assess their own compliance. This self-assessment introduces problems.
Self-assessment requires each organization to have staff who understand all the controls well enough to implement them correctly and to assess that implementation correctly. They must also be able to do this consistently across the entire organization. This is a high bar that non-federal organizations sometimes fail to meet without even realizing it. This recent Exostar report illustrates some of the problems. The DoD has seen that self-assessments are not completely reliable.
There is another factor that makes the supply chain vulnerable. Complying with a cybersecurity standard like NIST-800-171 doesn't guarantee that data is secure. As pointed out in this post on the Advanced Network Systems blog,
“...compliance does not equal security — it’s basically just a snapshot of how your security program meets a specific set of security requirements at a given moment in time.”
The security program also needs mature institutional cybersecurity practices and processes to be able to adapt to the changing threat environment in the field. Without both standards compliance and mature cybersecurity practices and processes, CUI is not truly secure.
These problems make the DoD supply chain a target for adversaries who want to steal critical military technologies.
How Cybersecurity Maturity Model Certification Addresses these Problems
Cybersecurity Maturity Model Certification addresses both of these problems. To increase the protection of CUI, CMMC:
- Replaces self-assessment with certified third-party audits.
- Assesses the maturity of a company’s cybersecurity controls and the maturity/institutionalization of its cybersecurity practices and processes.
The CMMC Timeline
As of November 2019, Draft CMMC Model v0.6 was available in PDF format. Per the DoD, this version of the document includes CMMC Levels 1 - 3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B. The updates to CMMC Levels 4 - 5 will be provided in the next public release.
The proposed CMMC rollout schedule is:
- CMMC Rev. 1.0 will be released in January 2020
- CMMC will be included in RFIs starting in June 2020
- CMMC will be included in RFPs starting in Fall 2020
Organizations that are Affected by CMMC
A wide range of organizations will be affected by CMMC. Your organization may be subject to Cybersecurity Maturity Model Certification if the DoD provides it with:
How CMMC Will Impact Your Organization
At the highest level: you will have to move from NIST-800-171 self-assessment to certified third-party CMMC audits.
According to the CMMC FAQ, to get audited and certified,
“Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.”
Since CMMC is still evolving, it isn’t clear what processes and policies you will need to put in place to achieve any given level of certification. But with Cybersecurity Maturity Model Certification requirements scheduled to start appearing in RFIs in June 2020, you will need to move fast to get certified before that date.
We can help you through this challenging transition. Our experienced SecureStrux team is ready and welcomes the opportunity to help you achieve your CMMC Certification on time. Whether you need help planning the transition, managing the project, training your staff, or creating a compliance package for your auditors, we have the people and the skills you are looking for. Contact us today for more information.